Abstract. Individual machines in flexible production lines explicitly expose capabilities at their interfaces by means of parametric skills (e.g. drilling). Given such a set of configurable machines, a line integrator is faced with the problem of finding and tuning parameters for each machine such that the overall production line implements given safety and temporal requirements in an optimized and robust fashion. We formalize this problem of configuring and orchestrating flexible production lines as a parameter synthesis problem for systems of parametric timed automata, where interactions are based on skills. Parameter synthesis problems for interaction-level LTL properties are translated to parameter synthesis problems for state-based safety properties. For safety properties, synthesis problems are solved by checking satisfiability of $\exists\forall$-SMT constraints. For constraint generation, we provide a set of computationally cheap over-approximations of the set of reachable states, together with fence constructions as sufficient conditions for safety formulas. We demonstrate the feasibility of our approach by solving typical machine configuration problems as encountered in industrial automation.


1 Introduction

We consider the problem of automatically configuring and orchestrating a set of production machines with standardized interfaces. For example, machine interfaces in the packaging industry are expressed in the standardized PackML³ notation, and skill sets such as fill-box or drill have recently been introduced, in the context of flexible production lines of the Industrie 4.0 programme, for describing parametric machine capabilities⁴.

Given such a set of configurable machines, a production line integrator is faced with the task of finding and tuning parameters for each machine such that the overall production line satisfies the required safety and temporal constraints. Typical line requirements from the practice of industrial automation include, for example, line-level safety, error handling, and the orchestrated execution of sequences of skills intermixed with machine-to-machine communication primitives. In addition, production lines are usually required to perform in an optimized and robust manner.

We tackle this problem of orchestrating and configuring parametric production systems by means of parameter synthesis problems for systems of interacting parametric timed automata (PTAs), where multi-party interactions between individual PTAs represent skills and machine-to-machine communication.

In a first step, parameter synthesis problems for interaction-level linear temporal logic (LTL) [25] properties are translated, based on constructions in bounded synthesis [23,9,13], into parameter synthesis problems for state-based safety properties. The key element here is the construction of a deterministic monitor similar to bounded LTL synthesis. Due to the use of clocks, however, there are some technical differences to this well-known construction, including a different upper bound on the maximum number of required unrolling steps. Whenever parameters are integer bounded, we demonstrate the existence of a sufficient upper bound for unrolling the negated property automaton, beyond which one can conclude that no parameter assignment can guarantee the specified LTL property.

* Part of this work has been initiated at ABB Research.

³ http://www.omac.org/content/packml

⁴ http://www.autonomik40.de/en/QPAK.php

Then, parameter synthesis problems for safety properties are transformed to solving $\exists\forall$-SMT satisfiability problems of the form $\exists x : \forall y : \mathit{Reach}(x,y) \rightarrow (\neg\phi_{deadlock}(x,y) \wedge \rho_{safe}(x,y))$, where $x$ represents the set of parameters to be synthesized, $y$ represents all the component states including local clocks, $\mathit{Reach}$ represents the set of reachable states, $\neg\phi_{deadlock}(x,y)$ denotes deadlock freeness, and $\rho_{safe}$ denotes the required safety condition. In general, the computation of the parametric image $\mathit{Reach}$ is undecidable for parameters of unbounded domain [2]. For bounded (integer) parameters, however, $\mathit{Reach}$ can be computed precisely by enumerating all valuations of the parameters and, subsequently, constructing the region graph for each parameter valuation. Usually, zone or region graphs are holistic (computationally expensive) approaches used to compute precise images for parameters of bounded domain, or abstractions for parameters of unbounded domain. Instead, we propose a set of computationally cheap over-approximations of $\mathit{Reach}$ that avoid an eager and expensive computation of $\mathit{Reach}$. Novel constructions include over-approximations based on finite-depth interaction history and fence constructions for guaranteeing safety. We also demonstrate the usefulness of these over-approximations with examples based on flexible production systems.

Due to the proposed reduction of parameter synthesis problems to general $\exists\forall$-SMT formulas, one may encode and simultaneously solve both qualitative and quantitative (e.g., min, lexicographic) requirements on synthesized solutions. Moreover, the $\exists\forall$-centric encoding of this paper also allows for the synthesis of non-timing parameters. Our use of two SMT solvers for solving $\exists\forall$-SMT is an extension of using two SAT solvers for solving 2QBF formulas [20]. The new approach here is to exploit this decoupling to also integrate quantitative aspects in solving synthesis problems.

To validate our approach, we have implemented a prototype which includes an $\exists\forall$ constraint generator and an $\exists\forall$ constraint solver (EFSMT). Our initial experiments are encouraging in that our prototype implementation reasonably deals with synthesis problems from our benchmark set with 20 unknown parameters and 10 clocks; that is, the proposed synthesis algorithms seem ready to handle the fully automatic orchestration of, at least, smaller-scale modular automation systems.

Related Work. Verification and synthesis of parametric timed automata have recently been considered by a number of authors. These techniques have also been implemented in the tools IMITATOR and Roméo, which search for constraints on parameters guaranteeing the existence of a bisimulation between any timed automaton (TA) satisfying the constraints and an initial instantiation of the input PTA. One of the main differences between solving strategies centers around forward versus backward search: Roméo starts, using a CEGAR-like strategy, from a counterexample, whereas IMITATOR starts from a good initial valuation of the parameters. In contrast, we are finding the right parameter values which guarantee that the system is deadlock free and satisfies state-based and interaction-level properties. Existing approaches, which are based on computing and exhaustively exploring the global state space, usually do not perform well even for relatively simple properties such as deadlock checking, and their implementations are currently restricted to problems with only a relatively small number (in the order of ten) of automata. In contrast, we apply a constraint-based solving approach and use a number of compositional techniques for generating local timing invariants, so that the $\exists\forall$-formulae can be solved efficiently with EFSMT. Apart from scalability, the $\exists\forall$-centric approach also allows for the integration of quantitative objectives. Finally, to the best of our knowledge, current verification and synthesis tools such as UPPAAL, IMITATOR, or Roméo support neither multi-party interactions nor qualitative interaction-level properties (LTL).

Organization of the paper. Section 2 recalls the basic definitions for PTAs, safety and interaction-level properties for interacting systems of PTAs, and the orchestration problem for these systems of PTAs. The main technical developments for solving timed orchestration synthesis are presented in Section 3. Section 5 provides some experimental results with a prototype implementation. Final conclusions are summarized in Section 6.

2 Parametric Component-based Systems and Properties

We briefly review some basic notions for systems of parametric timed automata, and formally state the problem of timed orchestration synthesis.

Definition 1 (Component). A component $C = (Q, q, X, P, \mathit{Jump}, \mathit{Inv})$ is a parametric timed automaton, where:

— $Q$ is a finite set of locations, and $q \in Q$ is the initial location

— $X$ is the set of clock variables

— $P$ is a finite alphabet called ports (edge labels)

— $\mathit{Jump} \subseteq (Q \times \mathit{Guards} \times P) \times (Q \times \mathit{Resets})$ is the set of discrete jumps between locations. $\mathit{Guards}$ are conjunctions of inequalities of the form $x \sim k$; $\mathit{Resets} \subseteq X$ is the set of clock variables to be reset after the discrete jump. We assume that every port $p \in P$ is associated with only one discrete jump in $\mathit{Jump}$

— $\mathit{Inv}$ is the set of location conditions, mapping locations to conjunctions of inequalities of the form $x \le k$

with $x \in X$, $k \in \mathbb{N}_0 \cup V$ and $\sim \in \{=, >, \ge\}$.

For ease of reference, we use the notation $C.p$ to denote the port $p$ of component $C$, as shown in Fig. 1.

Definition 2 (System). A system is a tuple $S = (V, C, E, A)$, where:

— $V$ is a finite set of unknown parameters

— $C = \bigcup_{i=1}^{m} C_i$ is a finite set of components

— $E$ is a finite set of system-level events (interactions), called the interaction alphabet

— $A : E \rightarrow 2^{\bigcup_{i=1}^{m} P_i}$ associates each interaction $\sigma$ with some ports within components. We assume that every port is associated with at least one interaction.

The concrete semantics of a system under a valuation of the unknown parameters follows the standard semantics of timed automata [3], except that discrete jumps are synchronized by interactions (see [6] for details). A time run is a maximal sequence of transitions $(q_0, v_0) \xrightarrow{\sigma_1} (q_1, v_1) \xrightarrow{\sigma_2} \cdots (q_n, v_n) \xrightarrow{\sigma_{n+1}} (q_{n+1}, v_{n+1}) \cdots$ where $q_i$ denotes a location in the system $S$, $\sigma_i$ is an interaction and $v_i$ is a valuation of the clocks in $S$.

For ease of reference, we introduce the following notations. For $\sigma \in E$, we denote by $en^t(\sigma)$ the necessary condition for enabling a location combination to trigger $\sigma$ by only allowing finite-time evolving, where the definition of $en^t(\sigma)$ is taken from [23]. If from a location $q$ one can delay the triggering of $\sigma$ indefinitely, then $en^t(\sigma)$ for that location is by default false. Given a valuation $v$ assigning the variables in $V$, $S(v)$ denotes the resulting concrete timed system and $en^t(\sigma)(v)$ denotes the resulting constraint of enabling conditions. For infinite time runs $\rho$ with infinitely many discrete jumps, we use $\rho_\Sigma$ to denote the corresponding $\omega$-word with symbols from the interaction alphabet.

[Fig. 1: diagram of Robot1, Buffer1, Buffer2 and Robot2 (image not recoverable). Interactions and associated ports within components:]

take1l: {Robot1.occupy-l, Buffer1.take}
take1r: {Robot1.occupy-r, Buffer2.take}
release1: {Robot1.release, Buffer1.release, Buffer2.release}
take2l: {Robot2.occupy-l, Buffer2.take}
take2r: {Robot2.occupy-r, Buffer1.take}
release2: {Robot2.release, Buffer1.release, Buffer2.release}
reset: {Robot1.end, Robot2.end}

Fig. 1. Parametric robot stations with shared buffer locations.

Figure 1 illustrates these concepts by means of a variation of the resource contention problem in terms of time-based control over robots, which is used as a running example.

Example 1. Given $n$ robots, robot $i$ first accesses buffer $i$ and then buffer $(i-1) \% n$. Figure 1 depicts the system for $n = 2$, with the set of unknown parameters $V = \{\alpha_1, \alpha_2, \beta_1, \beta_2, \gamma_1, \gamma_2, \eta_1, \eta_2\}$. Each Robot$_i$ has four ports $\{occupy\text{-}l, occupy\text{-}r, release, end\}$. The system has the interactions $E = \{take1l, take1r, release1, take2l, take2r, release2, reset\}$, and $A$ is defined on the right of Figure 1. For $en^t(release1)$, the necessary condition for interaction $release1$ to eventually take place without intermediate discrete jumps is $p_{13} \wedge l_{11} \wedge l_{21} \wedge (t_1 \le 3) \wedge (2 - t_1 \le 3 - t_1) \wedge (3 - t_1 \le \alpha_1 - t_{s_1}) \wedge \delta_{Robot_2}$. The trivial condition $2 - t_1 \le 3 - t_1$ guarantees that the minimum delay required for $t_1$ to enable the guard does not violate the location invariant of $p_{13}$. The constraint $3 - t_1 \le \alpha_1 - t_{s_1}$ ensures that the latest delay for enabling the transition, i.e., the time elapsed until $t_1$ reaches the boundary of the invariant (which is larger than $2 - t_1$, the shortest delay required to enable the guard), is no more than the time it takes $t_{s_1}$ to reach $\alpha_1$. This makes it possible to jump to location $p_{10}$. The constraint $\delta_{Robot_2} = (p_{20} \wedge 3 - t_1 \le \alpha_2 - t_{s_2}) \vee (p_{21} \wedge 3 - t_1 \le \gamma_2 - t_2) \vee (p_{22} \wedge 3 - t_1 \le 4 - t_2) \vee (p_{23} \wedge 3 - t_1 \le 2 - t_2)$ ensures that Robot$_2$ is able to stay within its current location until the discrete jump is taken. Note that the clock condition at $p_{13}$ involved in the interaction $release1$ ensures that time cannot be delayed indefinitely.

Now consider the assignment $v = \{\alpha_1 = \beta_1 = \alpha_2 = \beta_2 = 30, \gamma_1 = 5, \gamma_2 = 20, \eta_1 = 0, \eta_2 = 15\}$, which results in an infinite behavior on the interaction level, as presented by the $\omega$-word $(take1l\ take1r\ release1\ take2l\ take2r\ release2\ reset)^\omega$.

Definition 3 (Properties). We consider three types of properties:

— Component-level properties $\phi_C$ are constraints over $V$.

— Safety properties $\phi_{state}$ are state properties to be satisfied in every reachable state of the system. Typically, they are location-wise and express relations between clocks.

— Interaction-level properties $\phi_{int}$ are LTL specifications over $E$. A concrete timed system $S(v)$ satisfies $\phi_{int}$ iff every time run $\rho$ of $S(v)$ involves infinitely many discrete jumps, and the corresponding $\omega$-word $\rho_\Sigma$ is contained in $\phi_{int}$ by standard LTL semantics.














Example 2. Consider the following properties to be synthesized for the robot running example displayed in Figure 1:

— All parameters should be within $[0, 30]$ [Component-level property].

— Deadlock freedom [Safety property].

— $t_1 + t_2$ should always be less than 60 [Safety property].

— Promptness / exclusiveness: $\phi_{prompt} := \bigwedge_{i} \mathbf{G}(take_il \rightarrow \mathbf{X} \bigwedge_{j \ne i} \neg take_jl)$, i.e., disallow Robot$_j$ to perform $take_jl$ immediately after $take_il$ from Robot$_i$ [Interaction-level property].

Definition 4 (Timed Orchestration Synthesis). Given $S = (V, C, E, A)$ and properties $\phi_C$, $\phi_{state}$, $\phi_{int}$, the problem of timed orchestration synthesis is to find an assignment $v$ for $V$ such that $v$ satisfies $\phi_C$, and $S(v)$ satisfies both $\phi_{state}$ and $\phi_{int}$; such a satisfying assignment $v$ is also called a solution.

For example, the assignment given in Example 1 is a solution for timed orchestration synthesis when applied to our running example.


3 Timed Orchestration Synthesis

This section describes our main constructions for solving timed orchestration synthesis problems. We first translate timed orchestration synthesis problems for LTL properties to corresponding synthesis problems for safety properties (Sec. 3.1). Second, $\exists\forall$-SMT constraints are generated for the latter problem, whereby existential variables quantify over the parameters to be synthesized and universal variables quantify over system states (Sec. 3.2). Third, the $\exists\forall$-SMT constraints are solved by means of two alternating quantifier-free SMT solvers, one for each polarity (Sec. 3.3). In order to simplify the exposition below, we omit $\phi_C$, as it ranges only over the existentially-quantified parameters in $V$, and concentrate on the properties $\phi_{state}$ and $\phi_{int}$.


3.1 Transforming Interaction-level to Safety Properties

To effectively synthesize parameters such that interaction-level properties $\phi_{int}$ are satisfied, we adapt bounded LTL synthesis [23] to our context. The underlying strategy is to construct a deterministic progress monitor from $\phi_{int}$. The monitor is meant to keep track of the final states visited in the Büchi automaton $A_{\neg\phi_{int}}$ corresponding to $\neg\phi_{int}$ during system execution. To achieve this, we equip the monitor with a dedicated $risk$ state representing that a final state in $A_{\neg\phi_{int}}$ has been visited $k$ times. When the $risk$ state is never reached on any possible run, all final states in $A_{\neg\phi_{int}}$ are visited finitely often (i.e., less than $k$ times). This observation is sufficient to conclude that the system satisfies $\phi_{int}$. This is the intuition behind Algorithm 1.

Algorithm 1 uses $\Sigma_{\phi_{int}} \subseteq E$ to denote the set of interactions appearing in $\phi_{int}$, and $\#$ as a symbol not in $E$. On Line 2, the symbol $\#$ is used to mark labels corresponding to interactions $\sigma$ not appearing in $\phi_{int}$. On Line 3, a deterministic progress monitor is constructed by unrolling $A_{\neg\phi_{int}}$ via the function monitor($A_{\neg\phi_{int}}$, $k$), which is similar to the approach in bounded LTL synthesis [23]. Consequently, we omit its details and instead give a high-level description (see the example below): Starting from the initial state of $A_{\neg\phi_{int}}$, the alphabet $\Sigma_{\phi_{int}} \cup \{\#\}$ is used to unroll all traces of $A_{\neg\phi_{int}}$ and to create a deterministic monitor $C_{\neg\phi_{int},k}$. Each location⁵ in $C_{\neg\phi_{int},k}$ records the set of states being visited in the Büchi automaton. For each such state, the number of times a final state in $A_{\neg\phi_{int}}$ has been visited previously is counted. The algorithm maintains a queue of unprocessed locations. For each unprocessed location in the queue, every interaction $\sigma \in \Sigma_{\phi_{int}} \cup \{\#\}$ is selected to create a successor location. A state $s'$ is stored in the successor location if a state $s$ is in the unprocessed location and, in the post-processed Büchi automaton, a transition from $s$ to $s'$ via an edge labeled $\sigma$ exists. In addition, the number of visited final states is updated. Whenever a final state in $A_{\neg\phi_{int}}$ has been visited $k$ times, the unroll process replaces the location of $C_{\neg\phi_{int},k}$ by $risk$, a dedicated location with no outgoing edges.

Once the monitor is constructed, an augmented system $S_{inv,k}$ is created from $S$ (Line 5). The interaction set in the augmented system $S_{inv,k}$ is the one from Line 4, where all property-unrelated interactions $\sigma$ are marked with $\#$. Finally, on Line 6 the state predicate $\phi_{deadlock}$ expressing the deadlock condition is constructed from the new set of interactions.


Algorithm 1 Translate $\phi_{int}$ into $\phi_{deadlock}$ and construct a monitored system $S_{inv,k}$

Input: $S$, $\phi_{int}$, $k$
Output: $S_{inv,k}$, $\phi_{deadlock}$

1: construct a Büchi automaton $A_{\neg\phi_{int}}$ for the negated property $\neg\phi_{int}$
2: postprocess $A_{\neg\phi_{int}}$ by replacing every label $\neg\sigma$ with $\Sigma_{\phi_{int}} \setminus \{\sigma\} \cup \{\#\}$
3: $C_{\neg\phi_{int},k}$ := monitor($A_{\neg\phi_{int}}$, $k$)
4: $A_{inv,k}(\sigma)$ := $\sigma \in \Sigma_{\phi_{int}}$ ? $A(\sigma) \cup \{C_{\neg\phi_{int},k}.\sigma\}$ : $A(\sigma) \cup \{C_{\neg\phi_{int},k}.\#\}$
5: $S_{inv,k}$ := $(V, C \cup \{C_{\neg\phi_{int},k}\}, E, A_{inv,k})$
6: $\phi_{deadlock}$ := $\neg \bigvee_{\sigma \in E} en^t(\sigma)$
7: return $S_{inv,k}$, $\phi_{deadlock}$


Example 3. We illustrate the steps of Algorithm 1 using the robot running example. Figure 2(a) shows the result $A_{\neg\phi_{prompt}}$ for property $\phi_{prompt}$ (Line 1), and (b) displays the result after post-processing (Line 2).

To illustrate the result of unrolling on Line 3, Figure 2(c) shows it for $k = 1$. There, the initial location stores $\{s_0[s_3(0)]\}$, where $[s_3(0)]$ indicates that at $s_0$ one has not yet reached $s_3$ previously. When the initial location $\{s_0[s_3(0)]\}$ takes interaction $take1l$, it goes to $\{s_0[s_3(0)], s_1[s_3(0)]\}$, as in Figure 2(b) state $s_0$ can move to $s_0$ or $s_1$. Notice that a destination location may have been created previously. For example, in Figure 2(c), when the initial location $\{s_0[s_3(0)]\}$ takes interaction $\#$, it goes back to $\{s_0[s_3(0)]\}$. When $\{s_0[s_3(0)], s_1[s_3(0)]\}$ takes interaction $take2l$, it moves to a new location $\{s_0[s_3(0)], s_3[s_3(1)], s_2[s_3(0)]\}$. This new location is then replaced by $risk$, as in this example we have $k = 1$.


⁵ To avoid ambiguity, we call a state in the monitor component a "location" while keeping the name "state" for the Büchi automaton.











As for the new interaction set in the monitored system, we show two examples, one for an interaction in $\phi_{prompt}$ and one for an interaction outside it:

$A_{inv,k}(take1l) = \{Robot_1.occupy\text{-}l, Buffer_1.take, C_{\neg\phi_{prompt},k}.take1l\}$

$A_{inv,k}(take2r) = \{Robot_2.occupy\text{-}r, Buffer_1.take, C_{\neg\phi_{prompt},k}.\#\}$



Fig. 2. (a)(b) Büchi automaton for $\neg\phi_{prompt}$ before and after postprocessing, (c) $C_{\neg\phi_{prompt},1}$.


Notice that the introduction of the $\#$ symbol simplifies the unroll construction of bounded synthesis. Another difference to vanilla bounded synthesis is that, in the context of unrolling, every location has exactly $|\Sigma_{\phi_{int}} \cup \{\#\}|$ outgoing edges. In contrast, in bounded LTL synthesis, each $\sigma$ is viewed as a Boolean variable, which creates, in the worst case, on the order of $2^{|\Sigma|}$ outgoing edges.
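The post-processing of Line 2 and the unrolling of Line 3, replayed on Example 3, as an added example that is not the paper's implementation. The Büchi automaton $A_{\neg\phi_{prompt}}$ below is a hand transcription of Fig. 2(a) and is an assumption: four states $s_0 .. s_3$ with $s_3$ accepting, reading $\neg\phi_{prompt}$ as "some $take_il$ is immediately followed by $take_jl$ with $j \ne i$". The label forms `any` and `('not', σ)` are assumed shorthands for the unrestricted and negated labels that Line 2 expands into $\Sigma_{\phi} \cup \{\#\}$; the names `monitor`, `postprocess` and `run_monitor` are the example's own.

```python
"""Deterministic progress monitor C_{not phi, k} for a Buchi automaton (added example).

Not the paper's code: a direct reading of Algorithm 1, Lines 2-3, applied to
the promptness property of Example 3.  Monitor locations are sets of
(Buchi state, number of final-state visits so far); reaching k visits
collapses the location into the dedicated `risk` location without successors.
"""
from collections import deque

HASH = "#"   # stands for every interaction outside Sigma_phi (Line 2 / Line 4)
RISK = "risk"

# Assumed transcription of Fig. 2(a): A_{not phi_prompt} for n = 2 robots.
SIGMA_PHI = frozenset({"take1l", "take2l"})
BUCHI = {
    "init": "s0",
    "final": frozenset({"s3"}),
    # (source, label, target); label is an interaction, ('not', sigma) or 'any'
    "edges": [
        ("s0", "any", "s0"),
        ("s0", "take1l", "s1"),
        ("s0", "take2l", "s2"),
        ("s1", "take2l", "s3"),
        ("s2", "take1l", "s3"),
        ("s3", "any", "s3"),
    ],
}


def postprocess(buchi, sigma_phi):
    """Line 2: expand every label into explicit symbols of Sigma_phi + {#}."""
    alphabet = set(sigma_phi) | {HASH}
    delta = {}  # (state, symbol) -> set of successor states
    for src, label, dst in buchi["edges"]:
        if label == "any":
            symbols = alphabet
        elif isinstance(label, tuple) and label[0] == "not":
            symbols = alphabet - {label[1]}      # Sigma_phi \ {sigma} + {#}
        else:
            symbols = {label}
        for sym in symbols:
            delta.setdefault((src, sym), set()).add(dst)
    return delta, alphabet


def monitor(buchi, sigma_phi, k):
    """Line 3: breadth-first unrolling with per-state visit counters.

    Returns the initial location and a deterministic transition map
    {(location, symbol): location-or-RISK}; every non-risk location gets
    exactly |Sigma_phi + {#}| outgoing entries, as the text notes.
    """
    delta, alphabet = postprocess(buchi, sigma_phi)
    final = buchi["final"]
    init = frozenset({(buchi["init"], 0)})
    trans, seen, queue = {}, {init}, deque([init])
    while queue:
        loc = queue.popleft()
        for sym in sorted(alphabet):
            succ = set()
            for state, count in loc:
                for nxt in delta.get((state, sym), ()):
                    succ.add((nxt, count + (1 if nxt in final else 0)))
            # a final state visited for the k-th time: replace by risk
            target = RISK if any(c >= k for _, c in succ) else frozenset(succ)
            trans[(loc, sym)] = target
            if target != RISK and target not in seen:
                seen.add(target)
                queue.append(target)
    return init, trans


def run_monitor(init, trans, word):
    """Feed an interaction sequence through the monitor; interactions outside
    Sigma_phi are mapped to '#', as A_inv,k does on Line 4.  Returns the location
    reached (RISK once risk has been entered, since risk has no outgoing edges)."""
    loc = init
    for sigma in word:
        if loc == RISK:
            break
        loc = trans[(loc, sigma if sigma in SIGMA_PHI else HASH)]
    return loc


if __name__ == "__main__":
    init, trans = monitor(BUCHI, SIGMA_PHI, 1)
    print(len({loc for loc, _ in trans}), "monitor locations besides risk")
    print(run_monitor(init, trans, ["take1l", "take2l"]))          # risk, as in Example 3
    print(run_monitor(init, trans, ["take1l", "take1r", "release1", "take2l"]) == init)
```

For $k = 1$ the monitor has three locations besides $risk$ ($\{s_0\}$, $\{s_0, s_1\}$ and $\{s_0, s_2\}$), each with three outgoing edges, and the $\omega$-word of Example 1 cycles back to the initial location without ever touching $risk$, while $take1l$ followed directly by $take2l$ reaches it, exactly as Example 3 describes.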

The following result reduces timed orchestration synthesis for interaction-level properties to a corresponding timed orchestration synthesis problem on state-based properties only.

Lemma 1. Given an assignment $v$ of $V$, $S(v)$ satisfies $\phi_{int}$ if all time runs of $S_{inv,k}(v)$ reach neither the location $risk$ in $C_{\neg\phi_{int},k}$ nor a state where $\phi_{deadlock}(v)$ holds.

Proof. (Sketch) Assume that no time run $\rho$ of $S_{inv,k}(v)$ visits location $risk$ or a state where $\phi_{deadlock}(v)$ holds. We need to show that $S(v)$ satisfies $\phi_{int}$.

1. Because $\phi_{deadlock}(v)$ never holds and because time runs are maximal, any such time run $\rho$ is infinite.

2. From an infinite time run $\rho$, we show that $\rho$ defines an $\omega$-word $\rho_\Sigma$: as $\phi_{deadlock}(v)$ is never reached, $\bigvee_{\sigma \in E} en^t(\sigma)(v)$ is an invariant of all reachable states. Recall that $en^t(\sigma)$ is the necessary condition for enabling a location to trigger $\sigma$ by only allowing finite-time evolving. Therefore, from every reachable state, one of the interactions (discrete jumps) must occur after finite time. Thus, $\rho$ contains infinitely many discrete jumps and, consequently, $\rho$ defines an $\omega$-word $\rho_\Sigma$.

3. By construction, every location in the monitor has edges labeled with every $\sigma \in \Sigma_{\phi_{int}} \cup \{\#\}$, and $\#$ marks each property-unrelated interaction in $E \setminus \Sigma_{\phi_{int}}$ (Line 4). From this observation, together with the fact that $S_{inv,k}(v)$ does not restrict the behavior of $S(v)$, we have that a time run $\rho$ in $S_{inv,k}(v)$ not reaching $risk$ is bisimilar to a time run $\rho'$ in $S(v)$, with $\rho$ and $\rho'$ defining the same $\omega$-word $\rho_\Sigma$.

4. Recall that $C_{\neg\phi_{int},k}$ is an unrolling of $A_{\neg\phi_{int}}$. From this, together with the existence of $\rho_\Sigma$ and the fact that while running $\rho_\Sigma$ on $A_{\neg\phi_{int}}$ no final state is reached infinitely often, we have that $\rho_\Sigma$ does not satisfy $\neg\phi_{int}$. Consequently, for every time run $\rho'$ in $S(v)$, the corresponding $\rho_\Sigma$ satisfies $\phi_{int}$. □








By Lemma 1, it is sufficient to consider only safety properties when performing orchestration synthesis. Notice, however, that if for a given fixed $k$ Lemma 1 fails for all possible assignments $v$, one may not conclude that no solution exists for the orchestration synthesis problem, as there might be a larger $k$ for which Lemma 1 does hold.

Next we show that it is futile to go beyond a certain bound. More precisely, if the domains of the parameters in the input system $S$ are bounded, then one can effectively compute a limit $k^*$ on $k$ such that, if Lemma 1 is not applicable for $k^*$, then it is also not applicable for any strictly larger $k$.

Lemma 2. Let all parameters in $S$ have bounded integer domains with common upper bound $\Delta$, and let $\delta$ be the number of regions in $S$ when all parameters within the location and guard conditions are assigned $\Delta$. Let $|A_{\neg\phi_{int}}|$ be the number of states in $A_{\neg\phi_{int}}$, and $\eta$ the number of discrete location combinations in $S$, i.e., $\eta = |Q_1| |Q_2| \cdots |Q_m|$. Finally, let $k^* = \delta^2 \eta^2 |A_{\neg\phi_{int}}| |E| + 1$.

Given an assignment $v$ of $V$, if there exists a time run of $S_{inv,k^*}(v)$ reaching either $risk$ in $C_{\neg\phi_{int},k^*}$ or a state where $\phi_{deadlock}(v)$ holds, then $S(v)$ does not satisfy $\phi_{int}$.

Proof. (Sketch) Let $\rho$ be a time run of $S_{inv,k^*}(v)$ which reaches either $risk$ in $C_{\neg\phi_{int},k^*}$ or a state where $\phi_{deadlock}(v)$ holds. We have two cases:

— Case 1: $risk$ is not reached; equivalently, $\rho$ reaches a state where $\phi_{deadlock}(v)$ holds. The deadlock of $S_{inv,k^*}(v)$ under $\rho$ is unrelated to the monitor component, as the monitor component does not hinder any execution apart from $risk$. Therefore, $S(v)$ contains deadlock states, and $S(v)$ does not satisfy $\phi_{int}$, as reaching a deadlock state means that no $\omega$-word can be formed from that time run.

— Case 2: $risk$ is reached in the $k^*$-th unroll. We need to show that, from a prefix of a violating time run $\rho$ in $S_{inv,k^*}(v)$ that visited one final state $s$ in $A_{\neg\phi_{int}}$ for $k^*$ times, one can, by tailoring a fragment of $\rho$, prove the existence of a time run $\rho'$ in $S(v)$ such that the $\omega$-word of $\rho'$, when run on $A_{\neg\phi_{int}}$, is guaranteed to visit $s$ infinitely often. This is done with the help of two results: (1) under concrete parameter values the system is a timed automaton, so the number of its regions is finite and bounded by $\delta$; and (2) the pigeonhole principle. Recall that the executions in $C_{\neg\phi_{int},k}$ reflect executions in the Büchi automaton $A_{\neg\phi_{int}}$. Consider a discrete jump in the system. With a specific destination state $s$ in $A_{\neg\phi_{int}}$, one can capture a discrete jump in $S_{inv,k}(v)$ by only viewing its change in regions and locations. To reflect such changes, we use tuples $((r_{source}, l_{source}, s_{source}), \sigma, (r_{dest}, l_{dest}, s))$, where $r_{source}$ and $r_{dest}$ are the source and destination regions in $S(v)$, $l_{source}$ and $l_{dest}$ are the source and destination locations in $S(v)$, $s_{source}$ is the source state in $A_{\neg\phi_{int}}$, and $\sigma \in E$ is the interaction. The total number of such tuples is bounded by $\delta^2 \eta^2 |A_{\neg\phi_{int}}| |E|$. Therefore, when the violating $\rho$ visits a particular final state $s$ in $A_{\neg\phi_{int}}$ for $k^*$ times, in the corresponding region representation one particular tuple $((r_{source}, l_{source}, s_{source}), \sigma, (r_{dest}, l_{dest}, s))$ must have appeared twice (by the pigeonhole principle). The clock valuations associated with $l_{source}$, resp. $l_{dest}$, may differ between the two occurrences. However, the corresponding states are region-equivalent and consequently bisimilar. Thanks to this, $S$ can evolve region-bisimilarly until the tuple $((r_{source}, l_{source}, s_{source}), \sigma, (r_{dest}, l_{dest}, s))$ appears for the third time, and so on. By repeating this pattern, a time run visiting $s$ infinitely often is constructed. □


[Fig. 3 is a table with columns "Usage", "Tactic index", "Input (structure of the system)" and "Generated constraints (and their meanings)". The small automata drawn in the Input column are not recoverable; their textual descriptions are reproduced below.]

Tactic 1 (usage: system invariant).
Input: $l_1, \ldots, l_n$ are locations in a component, with location invariants $\mathit{Inv}(l_1), \ldots, \mathit{Inv}(l_n)$.
Generated constraints: implications from locations to timings, $(l_1 \rightarrow \mathit{Inv}(l_1)) \wedge \ldots \wedge (l_n \rightarrow \mathit{Inv}(l_n))$, or equivalently, from timings to locations, $(\neg\mathit{Inv}(l_1) \rightarrow \neg l_1) \wedge \ldots \wedge (\neg\mathit{Inv}(l_n) \rightarrow \neg l_n)$.

Tactic 2 (usage: system invariant).
Input: all incoming edges of $l_1$ reset $c$ and $c'$; $l_2$ has only one incoming interaction $\sigma$, on an edge from $l_1$ with guard $c \ge x$ that resets $c$; in the figure, the location invariants of $l_1$ and $l_2$ bound $c$ by $x_1$ and $x_2$.
Generated constraints, exploiting (simultaneous) resets: $c = c'$ at $l_1$, so $c' \ge x$ at $l_2$ (guard $c \ge x$ on $\sigma$); the time elapsed from $l_1$ to $l_2$ is at most $x_1 + x_2$ ($c$ is reset on $\sigma$). Hence $(l_1 \vee l_2) \rightarrow (c' \le x_1 + x_2)$ and $l_2 \rightarrow (c' \ge x)$, or equivalently, $(c' > x_1 + x_2) \rightarrow (\neg l_1 \wedge \neg l_2)$ and $(c' < x) \rightarrow \neg l_2$.

Tactic 3 (usage: system invariant).
Input: all incoming edges of $l_1$ reset $c$; one edge from $l_1$ to $l_2$ is used in interaction $\sigma$ and has guard $c \ge x$; $l_2$ has only one incoming interaction, named $\sigma$.
Generated constraints: without history, if $l_2$ has only one incoming edge, then for local clocks $c'$ not reset in $\sigma$: $l_2 \rightarrow c' \ge c + x$. With 1-step history, for all clocks $c'$ which are not involved in $\sigma$ or which are not reset when $\sigma$ takes place: $l_2 \wedge \mathit{prev}_\sigma \rightarrow c' \ge c + x$.

Tactic 4 (usage: $\rho_{safe}$). Fences, based on untimed reachability analysis.
Input: in the untimed reachability graph, $l_1, l_2, \ldots, l_k$ lead to $risk$; starting from the initial location, all paths which lead to $risk$ must pass through $l_1, l_2, \ldots, l_k$; each $l_i \in \{l_1, l_2, \ldots, l_k\}$ has at least one edge which can avoid leading to $risk$. In a game-theoretic setting, the nodes $l_1, l_2, \ldots, l_k$ form the boundary of the winning region that does not enter the $risk$ attractor.
Generated constraints: for $l_i \in \{l_1, l_2, \ldots, l_k\}$, all of its edges leading to $risk$ must NOT be enabled before the latest time at which one escape edge can be executed. E.g., for $l_3$ in the figure, with risk edge $\sigma_1$ (guard $\mathit{guard}_{\sigma_1}$) and escape edge $\sigma_2$, the generated constraint is $l_3 \rightarrow (\mathit{Inv}(l_q) \rightarrow \neg\mathit{guard}_{\sigma_1})$. This is because the latest time for $\sigma_2$ to execute is governed by $\mathit{Inv}(l_q)$, and the earliest time for $\sigma_1$ to execute is when $\mathit{guard}_{\sigma_1}$ holds.

Fig. 3. A list of tactics for generating system invariants (tactics 1 to 3) and $\rho_{safe}(x,y)$ (tactic 4).




3.2 Generating $\exists\forall$-Constraints for Safety Synthesis

Now, we reduce the timed orchestration synthesis problem for safety properties to corresponding $\exists\forall$-SMT constraints of the form

$$\exists x \in \phi_C : \forall y : \phi_S(x,y) \rightarrow (\phi_{state} \wedge \neg\phi_{deadlock}(x,y) \wedge \rho_{safe}(x,y)), \qquad (1)$$

where $x$ is the set of unknown variables to be synthesized; $y$ is the set of clocks, locations, and optional variables for encoding the history of interactions; $\phi_S(x,y)$ is the summary, an over-approximation of the system dynamics; $\neg\phi_{deadlock}(x,y)$ is the translation of $\phi_{int}$ into a safety property as described in Section 3.1; and $\rho_{safe}(x,y)$ is a disjunction of sufficient conditions for not reaching location $risk$. The constraints $\phi_C$ and $\phi_{state}$ are given system requirements, as mentioned in the problem formulation in Section 2. For ease of reading, we use the notation $k > 0$, respectively $k = 0$, to distinguish the case when a $k$-step interaction history is encoded by means of universal variables from the case when interaction history is not used at all in the generation of $\phi_S(x,y)$. We note that any solution of Formula (1) is a solution to the problem formulated in Section 2.


Generating $\phi_S(x,y)$ for $k = 0$. Our approach to characterizing the behavior of the system is compositional. This way, we avoid computing the whole product, which is, in most non-trivial cases, a costly operation. Instead, our computed invariant is the conjunction of the following three: (1) invariants for each component, (2) invariants capturing conditions when synchronization occurs, and (3) untimed reachability.

(1) Component invariants $CI(C_i)$ are properties characterizing components $C_i$. We do not restrict their computation to a specific methodology. What matters is that such properties can be shown to be invariants. In our framework, where components are parametric timed automata, one way to obtain invariants is to compute abstractions⁶ of classical zone graphs. Zone graphs are symbolic representations of the reachable state space of parametric timed automata. In practice, easier solutions work as well. One example is tactic 1 in Figure 3. As an illustration, for Robot$_1$, by applying tactic 1, the resulting invariant is $(p_{10} \rightarrow t_{s_1} \le \alpha_1) \wedge (p_{11} \rightarrow t_1 \le \gamma_1) \wedge (p_{12} \rightarrow t_1 \le 3) \wedge (p_{13} \rightarrow t_1 \le 3)$. By applying tactics 2 and 3 one can derive the following additional conditions for Robot$_1$ and Robot$_2$:

- $(t_{s_1} < \eta_1) \rightarrow p_{11}$ and $(t_{s_2} < \eta_2) \rightarrow p_{21}$.

- $(t_{s_1} < \eta_1 + 2) \rightarrow (\neg p_{10} \wedge \neg p_{13})$ and $(t_{s_2} < \eta_2 + 3) \rightarrow (\neg p_{20} \wedge \neg p_{23})$.

- $(t_{s_1} > \gamma_1 + 3) \rightarrow (\neg p_{11} \wedge \neg p_{12})$ and $(t_{s_2} > \gamma_2 + 4) \rightarrow (\neg p_{21} \wedge \neg p_{22})$.

- $(t_{s_1} > \gamma_1 + 3 + 3) \rightarrow p_{10}$ and $(t_{s_2} > \gamma_2 + 4 + 2) \rightarrow p_{20}$.

(2) Discrete-jump invariants $\Pi_g$ are global clock constraints inferred either (a) statically from resets on incoming transitions or (b) from the simultaneity of interactions and the synchrony of time progress. Such constraints are generated by applying tactics 2 and 3 of Figure 3.

(a) Consider location $p_{12}$ in Robot$_1$. It has one incoming edge, which resets clock $t_1$. As no other clock in the system is reset on this edge, and the edge has guard $t_1 \ge \eta_1$, one derives $p_{12} \rightarrow (t_{s_1} - t_1 \ge \eta_1)$, i.e., in location $p_{12}$, all other local clock readings are at least $\eta_1$ units larger than $t_1$.


¹ In general, the reachability problem is undecidable [2]; we refer to the literature for the 
computation of symbolic state abstractions. 




(b) Consider the interaction reset. It leads to the location combination $(p_{11}, -, -, p_{21})$, which 
contains the initial state. One derives the invariant $(p_{11} \wedge p_{21}) \rightarrow (t_{s1} = t_1 = t_{s2} = t_2)$. By 
a similar argument one also infers that $t_{s1} = t_{s2}$ holds, because the interaction reset is the 
only action that resets either of these two clocks, and it resets both at once. 

(3) The untimed abstract reachability invariant $Abs(S)$ is the set of reachable location combinations 
of $S$, obtained by ignoring clocks and considering only the blocking imposed by interactions. 
E.g., with untimed reachability analysis from the initial locations one can deduce that 
$(p_{11} \wedge p_{21}) \rightarrow (l_{10} \wedge l_{20})$, i.e., the buffers are not occupied before both robots start. Notice 
that $Abs(S)$ is not sensitive to parameter changes, since it ignores clocks. 


Remark 1. Commonly, a tactic creates constraints of the form $\phi_{loc} \rightarrow \phi_{clock}$, where $\phi_{loc}$ 
is a formula over locations and $\phi_{clock}$ is a property over clocks. As $\phi_{loc} \rightarrow \phi_{clock} \equiv \neg\phi_{clock} \rightarrow \neg\phi_{loc}$, 
the $\exists\forall$-solver also uses such constraints to conclude that under 
concrete timing conditions it is impossible to be in certain states of $Abs(S)$. To illustrate this, we 
return to the robot example. In the untimed setting, $Robot_1$ and $Robot_2$ can execute $take_{11}$ 
and subsequently $take_{21}$. Therefore, the state $(p_{12}, p_{22}, risk)$ is contained in $Abs(S_{inv,k})$. However, 
under the parameter assignment $\gamma_1 = \eta_1 := 0$ and $\gamma_2 = \eta_2 := 15$, the constraint solver 
invalidates this state by the following reasoning: 

- When $Robot_2$ is at $p_{22}$, $t_{s2} \geq \eta_2$, i.e., $t_{s2} \geq 15$ (by tactic 2 in Figure 3). 

- $t_{s2} = t_{s1}$ (from Item (2)), so $t_{s1} \geq 15$. 

- As $(t_{s1} \geq \gamma_1 + 3 + 3) \rightarrow p_{10}$ (from Item (1)) and $\gamma_1 = 0$, $Robot_1$ must be in $p_{10}$, and hence cannot be in $p_{12}$. 

Therefore, the reachability of $(p_{12}, p_{22}, risk)$ in $Abs(S_{inv,k})$ is refuted under the parameter 
assignment $\gamma_1 = \eta_1 := 0$ and $\gamma_2 = \eta_2 := 15$. 


We define $\varphi_S(x,y)^{k=0}$ as $\bigwedge_{C_i \in C} CI(C_i) \wedge I_S \wedge Abs(S)$ and denote by $\varphi_S(x,y)^{k=0}(v)$ 
the result of replacing the unknown variables $V$ by the assignment $v$ in $CI(C_i)$ and $I_S$. 
Using the fact that the conjunction of invariants is itself an invariant, it can be shown 
that $\varphi_S(x,y)^{k=0}$ is indeed an invariant of $S$. 

Lemma 3. For any assignment $v$ of the unknown parameters, $\varphi_S(x,y)^{k=0}(v)$ is an invariant 
of $S(v)$. 


Generating $\varphi_S(x,y)^{k>0}$. For $\exists\forall$-constraint solving, the precision of the system invariants 
plays an important role. Given the set of interactions $\Sigma$, one can introduce a set 
of Boolean variables $\{prev^k_\sigma \mid \sigma \in \Sigma\}$ recording the interaction executed $k$ steps earlier. As an 
example, consider tactic 2 in Figure 3. When one records the previously executed 
interactions, the condition $d \geq c + x$ is associated with location $l_2$ together with the previously 
executed interaction $\sigma$. Assume that $l_2$ has another incoming interaction $\sigma'$ which does 
not reset $c$. Then a memoryless approach (i.e., one without history) has to take the disjunction 
of the conditions from all incoming edges, thereby losing the knowledge $d \geq c + x$. 

The price of recording a $k$-step interaction history, given $\Sigma$ as the set of interactions, is 
only the introduction of $k|\Sigma|$ Boolean variables as universal variables. In the same 
manner as for Lemma 3, it can be shown that $\varphi_S(x,y)^{k>0}$ is an invariant of the system. 


Generating $\rho_{safe}(x,y)$ with "fence" constraints. An intuitive and sometimes sufficient 
way is to set $\rho_{safe}(x,y)$ to simply $\neg risk$. However, one can also introduce further 
constraints $\rho_1, \ldots, \rho_n$, each of which is a sufficient condition for blocking runs from 
entering $risk$, set $\rho_{safe}(x,y) := (\neg risk) \wedge \bigvee_{i=1}^{n} \rho_i$, and leave the search for solutions to the 
$\exists\forall$-solver. The computation of these constraints should be light-weight. Here we present 
the fence-condition tactic (index 4 of Figure 3), which only involves the computation of 
backward untimed reachability and a static scan of the components. 

The underlying idea is to find a set of nodes $l_1, l_2, \ldots, l_k$ in the abstract reachability 
graph such that every path leading to $risk$ must pass through one node $l_i \in \{l_1, l_2, \ldots, l_k\}$, and at each 
such node there exists at least one "escape edge" that avoids leading to $risk$. Finding such 
a set amounts to solving a safety game (using the standard attractor computation for 
two-player, turn-based games over finite arenas) with all nodes viewed 
as control vertices. We explain the attractor concept using examples. In Figure 3, 
the attractor computation gradually adds $\{a_1\}$, $\{a_2\}$ (as one outgoing edge leads to 
$risk$ and the other leads to $a_1$), and $\{a_3, a_4\}$ to the attractor of $risk$. Nodes such as $l_3$ are 
outside the attractor, as $l_3$ can use $\sigma_2$ to escape. 

With $\{l_1, l_2, \ldots, l_k\}$ identified, whenever one can guarantee that at node $l_i$ the interactions 
leading into the attractor are never executed, one can guarantee that $risk$ 
is never reached from the initial state in any timed run. For $l_i \in \{l_1, l_2, \ldots, l_k\}$, let $\Sigma_{attr,i}$ 
be the outgoing interactions leading into the attractor and $\Sigma_{str,i}$ be the winning strategy at 
$l_i$, i.e., the interactions that escape the attractor. For an interaction $\sigma$, let $guard_\sigma$ be the guard condition under 
which $\sigma$ can take place. We restrict ourselves to guards that are conjunctions of the 
form $clock \sim c$ for constants $c$ and $\sim \in \{>, \geq\}$. Then we create the following constraint: 

$$\bigwedge_{i=1}^{k} \Big( l_i \rightarrow \bigwedge_{\sigma \in \Sigma_{attr,i}} \big( \bigvee_{\sigma' \in \Sigma_{str,i}} en_t(\sigma') \rightarrow \neg guard_\sigma \big) \Big)$$ 

Intuitively, the constraint states that at $l_i$, as long as some interaction $\sigma'$ from 
$\Sigma_{str,i}$ can still be executed in the future (i.e., $en_t(\sigma')$ holds), no interaction $\sigma$ in $\Sigma_{attr,i}$ may be 
enabled. In Figure 3, for node $l_3$, as $en_t(\sigma_2)$ is merely the invariant condition of $l_q$, we 
obtain $l_3 \rightarrow (Inv(l_q) \rightarrow \neg guard_{\sigma_1})$. 
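The attractor computation and the fence constraint just described, as an added Python example (this is not the paper's BDD-based implementation): the graph is a small hypothetical abstract reachability graph modelled on the prose description of Figure 3, with node and interaction names assumed, since the figure itself is not reproduced here. The attractor rule is the one the text's example implies when all nodes are control vertices: a node joins the attractor once every one of its outgoing edges leads into it, so a node with an escape edge such as $l_3$ stays outside. The last function checks the soundness claim made above by cutting the $\Sigma_{attr,i}$ edges at the fence nodes and confirming that $risk$ is then unreachable.

```python
from collections import deque
from typing import Dict, List, Set, Tuple

Graph = Dict[str, List[Tuple[str, str]]]   # node -> [(interaction, successor)]

# Constructed example graph shaped after the description of Figure 3
# (hypothetical names; not data taken from the paper).
GRAPH: Graph = {
    "init": [("sigma0", "l3")],
    "l3":   [("sigma1", "a4"), ("sigma2", "lq")],
    "lq":   [("sigma3", "a3"), ("sigma4", "init")],
    "a1":   [("sigma5", "risk")],
    "a2":   [("sigma6", "risk"), ("sigma7", "a1")],
    "a3":   [("sigma8", "a2")],
    "a4":   [("sigma9", "a2"), ("sigma10", "a1")],
    "risk": [],
}


def attractor_rounds(graph: Graph, target: str = "risk") -> List[Set[str]]:
    """Attractor of `target` when every node is a control vertex.

    A node joins once *all* its outgoing edges lead into the attractor (no
    escape edge is left). Rounds use a simultaneous update, so the result
    shows which nodes join together. Sink nodes other than `target` are
    treated as safe (assumption: a deadlock is not `risk` in this example)."""
    attr: Set[str] = {target}
    rounds: List[Set[str]] = [{target}]
    while True:
        new = {n for n, edges in graph.items()
               if n not in attr and edges and all(s in attr for _, s in edges)}
        if not new:
            return rounds
        attr |= new
        rounds.append(new)


def fence_nodes(graph: Graph, attr: Set[str]) -> Dict[str, Tuple[List[str], List[str]]]:
    """Nodes outside the attractor with at least one edge into it.

    Returns node -> (Sigma_attr, Sigma_str). A non-attractor node with an
    edge into the attractor always has an escape edge as well, otherwise
    the attractor rule would have absorbed it."""
    fences: Dict[str, Tuple[List[str], List[str]]] = {}
    for n, edges in graph.items():
        if n in attr:
            continue
        into = [sigma for sigma, s in edges if s in attr]
        escape = [sigma for sigma, s in edges if s not in attr]
        if into:
            fences[n] = (into, escape)
    return fences


def fence_constraints(fences: Dict[str, Tuple[List[str], List[str]]]) -> List[str]:
    """Render l_i -> ((OR en_t(sigma')) -> not guard_sigma) per attractor edge."""
    out = []
    for node, (into, escape) in sorted(fences.items()):
        en = " or ".join(f"en_t({s})" for s in escape)
        for sigma in into:
            out.append(f"{node} -> (({en}) -> not guard_{sigma})")
    return out


def risk_unreachable_if_fenced(graph: Graph, fences: Dict[str, Tuple[List[str], List[str]]],
                               init: str = "init", target: str = "risk") -> bool:
    """Soundness check: delete the Sigma_attr edges at the fence nodes and
    confirm that `target` is no longer reachable from `init`."""
    blocked = {(n, sigma) for n, (into, _) in fences.items() for sigma in into}
    seen, todo = {init}, deque([init])
    while todo:
        n = todo.popleft()
        for sigma, s in graph[n]:
            if (n, sigma) in blocked or s in seen:
                continue
            seen.add(s)
            todo.append(s)
    return target not in seen


if __name__ == "__main__":
    rounds = attractor_rounds(GRAPH)
    fences = fence_nodes(GRAPH, set().union(*rounds))
    print(rounds)
    print(fence_constraints(fences))
    print(risk_unreachable_if_fenced(GRAPH, fences))
```

On this graph the rounds are {risk}, {a1}, {a2}, {a3, a4}, the fence nodes are l3 and lq, and the generated constraint for l3 has the shape of the one given in the text; dropping the fences (an empty dictionary) lets the reachability check find risk again.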


3.3 Finding Satisfying Instances for $\exists\forall$ Formulas 

We outline the verification procedure implemented in EFSMT for solving constraint problems 
of the form $\exists x \forall y : \phi(x,y)$, where $\phi(x,y)$ is a quantifier-free formula over two 
variable sets $x$ and $y$. This class is generic enough to fit formulas such as Formula (1) 
in Section 3.2. The procedure is based on two SMT solver instances, the 
so-called E-solver and F-solver. These two solvers are applied to quantifier-free formulas of 
different polarities in order to reflect the quantifier alternation, and they are combined 
by means of a counterexample-guided refinement strategy. 

At the $k$-th iteration, the E-solver either generates an instance $x_k$ for $x$ or the procedure 
returns false. An $x_k$ provided by the E-solver is passed to the F-solver, which checks 
whether $\exists y : \neg\phi(x_k, y)$ holds. If not, then $x_k$ is a witness for the problem $\exists x \forall y : \phi(x,y)$. 
If the F-solver finds a satisfying assignment $y_k$ at the $k$-th iteration, it 
passes the constraint $\phi(x, y_k)$ to the E-solver, ruling out such $x$ as potential witnesses. 
The candidate $x_{k+1}$ of the $(k+1)$-th iteration must therefore satisfy not only 
$\phi(x_{k+1}, y_0), \ldots, \phi(x_{k+1}, y_{k-1})$ but also $\phi(x_{k+1}, y_k)$ (an example is 
given below for ease of understanding). 

In many cases the domain of the integer parameters is bounded, and the EFSMT solving 
algorithm terminates², as there are only finitely many variable assignments. Consider, 
for example, the constraint $\exists x_1 \in [0,100] \cap \mathbb{Z}\ \forall y_1 \in [10,20] \cap \mathbb{R} : x_1 - y_1 \geq 80$. 
Assume that both explicit enumeration and EFSMT try candidates in the order $x_1 = 0, 1, \ldots, 100$. 
Brute-force enumeration then has to iterate through all candidates until it reaches 
$x_1 = 100$ (the only satisfying instance). For EFSMT, if $x_1 = 0$, then 
the counterexample provided by the F-solver, for instance $y_1 = 10$, falsifies it. After this 
step, the E-solver creates a new assignment satisfying $x_1 - 10 \geq 80$, thus immediately 
jumping to $x_1 = 90$ and omitting the assignments $x_1 = 1, \ldots, 89$. In 
other words, our solver may be viewed as an acceleration of explicit enumeration with SMT 
via counterexamples. 

² In general, the pure usage of two quantifier-free solvers does not guarantee termination. 
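The E-solver/F-solver loop above, as an added Python example rather than the EFSMT implementation (which wraps Yices2 for both roles). Here the E-solver is a scan of the finite integer domain in ascending order, which also returns the minimal witness, i.e. the behaviour of an optimizing E-solver in the quantitative synthesis of Section 4; the F-solver is a check of a constructed list of candidate values for the universal variables, which is complete for the example's guard because a constraint linear in $y$ that fails somewhere on a box also fails at a corner (in general the F-solver is an SMT query over the whole interval). The robustness variant adds a bounded $\delta$ as a further universal variable, as in Section 4, and shows that the example then has no integer witness.

```python
from typing import Any, Callable, Iterable, List, Optional, Sequence, Tuple

Phi = Callable[[int, Any], bool]          # phi(x, y): the quantifier-free body


def e_solver(phi: Phi, x_domain: Iterable[int], learned: Sequence[Any]) -> Optional[int]:
    """E-solver: some x satisfying phi(x, y_k) for every learned counterexample y_k.

    The domain is scanned in ascending order, so the first hit is the minimal
    candidate (the behaviour of an optimizing E-solver). Returns None when the
    learned constraints exclude the whole domain."""
    for x in x_domain:
        if all(phi(x, y) for y in learned):
            return x
    return None


def f_solver(phi: Phi, x: int, y_candidates: Sequence[Any]) -> Optional[Any]:
    """F-solver: a y with not phi(x, y), or None if x is a witness.

    Assumption: phi is a conjunction of constraints linear in y over a box, so
    a violation somewhere implies one at a corner; the corner list therefore
    stands in for the SMT query over the whole interval."""
    for y in y_candidates:
        if not phi(x, y):
            return y
    return None


def efsmt(phi: Phi, x_domain: Sequence[int], y_candidates: Sequence[Any]
          ) -> Tuple[Optional[int], List[Tuple[int, Optional[Any]]]]:
    """Counterexample-guided loop. Returns (witness or None, trace of (x_k, y_k)),
    where y_k is None in the final, successful iteration."""
    learned: List[Any] = []
    trace: List[Tuple[int, Optional[Any]]] = []
    while True:
        x = e_solver(phi, x_domain, learned)
        if x is None:
            return None, trace                  # no x survives all counterexamples
        y = f_solver(phi, x, y_candidates)
        trace.append((x, y))
        if y is None:
            return x, trace                     # forall y: phi(x, y) holds
        learned.append(y)                       # phi(x, y_k) now constrains the E-solver


def brute_force(phi: Phi, x_domain: Sequence[int], y_candidates: Sequence[Any]
                ) -> Tuple[Optional[int], int]:
    """Explicit enumeration for comparison: (witness, number of x tried)."""
    tried = 0
    for x in x_domain:
        tried += 1
        if f_solver(phi, x, y_candidates) is None:
            return x, tried
    return None, tried


# The example from the text: exists x1 in [0,100] cap Z, forall y1 in [10,20]: x1 - y1 >= 80.
PHI: Phi = lambda x, y: x - y >= 80
Y_CORNERS = [10.0, 20.0]


def paper_example():
    return efsmt(PHI, range(0, 101), Y_CORNERS)            # witness 100 after 3 E-solver calls


def paper_example_unsat():
    return efsmt(PHI, range(0, 100), Y_CORNERS)            # x1 <= 99: no witness exists


# Robustness synthesis: perturb the threshold by a universally quantified
# delta in [-0.05, 0.05]; y now ranges over the corners of the (y1, delta) box.
PHI_ROBUST: Phi = lambda x, yd: x - yd[0] >= 80 + yd[1]
YD_CORNERS = [(y, d) for y in (10.0, 20.0) for d in (-0.05, 0.05)]


def robust_example():
    return efsmt(PHI_ROBUST, range(0, 101), YD_CORNERS)    # no integer x survives delta = +0.05


if __name__ == "__main__":
    print(paper_example())
    print(brute_force(PHI, range(0, 101), Y_CORNERS))
    print(robust_example())
```

The trace of `paper_example()` is the one narrated in the text: $x_1 = 0$ is refuted by $y_1 = 10$, the E-solver jumps to $x_1 = 90$, which is refuted by $y_1 = 20$, and $x_1 = 100$ survives, after three E-solver calls instead of 101 candidates.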

4 Extensions 

Due to the reduction of timed orchestration problems to $\exists\forall$SMT, one can readily handle 
richer arithmetic constraints in synthesis problems. We briefly outline how quantitative 
synthesis, robustness synthesis, and synthesis beyond PTA may be encoded. 

Quantitative Synthesis. In practice one is usually interested in obtaining parameters 
for optimized system behavior (e.g., minimal or lexicographically optimal values). For example, one might be 
interested in obtaining a minimum value for the parameter $\alpha_1$ in the running example 
of Figure 1. When solving the corresponding $\exists\forall$SMT constraints with the proposed two-solver 
approach, one may simply use an E-solver with optimization capabilities, e.g. a 
MaxSMT solver, instead of a plain SMT solver. In this way, the solution proposed 
by the E-solver is optimal with respect to the current set of constraints. Since every learned 
constraint $\phi(x, y_k)$ is implied by the original $\exists\forall$ problem, a candidate that is optimal under 
the learned constraints and survives the F-solver check is also optimal among all witnesses. 

Robustness Synthesis. Using $\exists\forall$SMT constraints, the imprecision of a system may be 
modeled by means of universally-quantified, bounded variables. For example, one may 
model the imprecision of a guard $t_1 \geq 2$ by $t_1 \geq 2 + \delta$, where $\delta \in [-0.05, 0.05]$ is added as 
a new universally-quantified variable of the $\exists\forall$SMT problem. 

Beyond PTA. Using the full expressiveness of $\exists\forall$-constraints, one may also encode 
guards such as $t_1 + 3 t_4 \geq 10$, which go beyond the clock constraints of plain PTAs. 

5 Evaluation 

The above extensions come for free with our prototype tool, which we have developed for 
implementing the concepts of Section 3. Technically, the prototype automatically generates 
monitor components based on the LTL2Buchi transformation for generating 
Büchi automata. The symbolic reachability underlying the computation of $Abs(S)$ and 
the attractor computation for fence conditions use JDD, a Java package for efficiently 
manipulating Binary Decision Diagrams (BDDs). The $\exists\forall$ constraint 
solver combines our E-solver and F-solver, which in turn wrap the 
SMT solver Yices2 [12] whenever quantifier-free constraint solving is needed. 

Tables 1 and 2 show the results of our initial evaluation (Intel i5-4300U CPU, 
8 GB RAM, Ubuntu 14.04 64-bit). The recorded execution times for other tools (e.g., 
IMITATOR) are based on the newest tool versions available for download. For the robot 
problem in Table 1, the constants in one automaton differ from those in the other automaton, 
in order to avoid symmetry effects and, more importantly, 
to be closer to realistic settings. As an example, using the same experimental setup 
Example     num. ∃ param.   parameter range   num. ∀ variables    EFSMT time (sec)
Robot3      12              [0, 30] ∩ ℤ       6 real, 9 Bool      1.262
Robot4      16              [0, 30] ∩ ℤ       8 real, 12 Bool     3.037
Robot5      20              [0, 30] ∩ ℤ       10 real, 15 Bool    33.424
Robot6      24              [0, 30] ∩ ℤ       12 real, 18 Bool    165.856
Robot7      28              [0, 30] ∩ ℤ       14 real, 21 Bool    from 154.958 to 1026.992
Worker 10   1               β < 1000          10 real, 12 Bool    0.040
Worker 20   1               β < 1000          20 real, 22 Bool    0.079
Worker 30   1               β < 1000          30 real, 32 Bool    0.195
Worker 40   1               β < 1000          40 real, 42 Bool    0.371
Worker 50   1               β < 1000          50 real, 52 Bool    0.561

Example     num. ∃ param.   parameter range   num. ∀ variables    IMITATOR time (sec)
Robot5      20              [0, 30] ∩ ℤ       10 real, 15 Bool    570.88
Robot6      24              [0, 30] ∩ ℤ       12 real, 18 Bool    t.o. (> 3600 sec)
Robot7      28              [0, 30] ∩ ℤ       14 real, 21 Bool    t.o. (> 3600 sec)

Example     num. ∃ param.   parameter range   num. ∀ variables    UPPAAL "verification" time (sec)
Robot7      28              [0, 30] ∩ ℤ       14 real, 21 Bool    15.56
Worker 50   1               β < 1000          50 real, 52 Bool    t.o. (> 600 sec)

Table 1. Evaluation results for deadlock, and comparison with other synthesis and verification 
tools. Worker is a modified (by creating unknowns) example from [6]. 


Example   Property                            num. ∃   parameter range   num. ∀ variables         EFSMT (sec)
Robot3    Deadlock-free, LTL                  12       [0, 30] ∩ ℤ       6 real, 12 Bool          1.412
Robot4    Deadlock-free, LTL                  16       [0, 30] ∩ ℤ       8 real, 15 Bool          17.765
Robot5    Deadlock-free, LTL                  20       [0, 30] ∩ ℤ       10 real, 18 Bool         301.665
Robot6    Deadlock-free, LTL                  24       [0, 30] ∩ ℤ       12 real, 21 Bool         4262.047
MES2      Error handling (using U)            2        [0, 100] ∩ ℤ      2 real, 12 Bool          0.041
MES2      Error handling (using U)            2        [0, 40] ∩ ℤ       2 real, 12 Bool          0.169 (no solution)
MES2      Parameterized handling (using U)    2        [0, 200] ∩ ℤ      2 real, 2 int, 12 Bool   0.135
MES2      Parameterized handling (using U)    2        [0, 100] ∩ ℤ      2 real, 2 int, 12 Bool   0.479 (no solution)
MES3      Prod. seq. control 1 (using X, F)   4        [0, 100] ∩ ℤ      3 real, 18 Bool          0.204
MES3      Prod. seq. control 2 (using X, F)   4        [0, 100] ∩ ℤ      3 real, 18 Bool          5.341 (no solution)

Table 2. Experimental results for LTL properties. 


to run IMITATOR for five robots already takes about ten minutes (EFSMT is about 
one order of magnitude faster). In Table 1 we do not list the time needed for generating 
constraints, as it is negligible compared to $\exists\forall$-constraint solving (the abstract 
reachability computation takes less than 5 seconds even for 10 robots). However, the ordering of 
the constraints may greatly influence the timings. Consequently, obtaining good results for 
synthesizing parameters that enforce safety properties requires both a good solver and a 
tailored constraint structure suitable for exploiting the locality of constraints. In our case 
this is possible thanks to our local component invariants. 

From Table 1, readers may be surprised by the timing for ensuring promptness in the 
case of 6 robots. The increase in computation time follows from EFSMT searching through all 
possibilities without finding any, as the sum of all mode upper bounds is greater than 30. 
Another interesting behavior observed during our evaluation is that the non-determinism 
within SMT solvers (for the robot examples it produces multiple, different satisfying assignments; 
cf. the range of times reported for Robot7 in Table 1) may drastically influence performance. 

Table 1 also shows the result of analyzing the temperature controller problem modified 
from [6], where only one unknown parameter needs to be synthesized. In the experimental 
setup, the search starts from $\beta = 999$; it then quickly prunes the search space and 
identifies the result in about 2 to 5 steps. This is the reason why the computation time 
is surprisingly small, and it clearly demonstrates the advantage of EFSMT over a brute-force 
enumeration method. However, as our parameterized timer invariant generation is 
far from precise, the generated result is not optimal. Still, verifying our result with 
UPPAAL takes more than 10 minutes for 50 workers. This demonstrates that at least 
some problems can be solved by inferring synchronization properties without paying the 
price of a holistic state space exploration. 

Fig. 4. A sample cereal packaging line. 

5.1 Flexible Production System Case Study 

In discrete manufacturing, individual workpieces are treated in multiple processing steps, 
typically organized sequentially over multiple machines. Under the Industrie 4.0 initiatives, 
it is generally expected that machines can communicate their status, mainly their 
state changes. This view fits well with our methodology: it suffices to adopt the 
interpretation in which the functionality of every machine is isolated as a component 
with parameters, and each component is designed without the use of global clocks. Along 
these lines, as an application of our method to discrete manufacturing, we use a simplified 
packaging line from the food & beverage segment as a case study. The main components are 
displayed in Figure 4. More precisely, Figure 4 illustrates a Form-Fill-Seal (FFS) machine 
which fills parts produced in the upstream process into plastic bags. In turn, the plastic 
bags are packaged into boxes by a packaging machine. Finally, the cartons are placed on 
a pallet for shipment. We assume that the product to be created is breakfast cereal, 
while retailers can request variations of bag size and box capacity in terms of $x$ grams 
per bag and $y$ bags per box. To handle such product variations, realized by the two 
variables $x$ and $y$, we simply encode them as universal variables. The FFS machine 
parameters, on the other hand, are encoded as existential variables: the execution times 
for filling and sealing are configured by $\alpha$ and $\beta$ seconds, respectively. In the automaton for the 
FFS, these variables appear in guards and location invariants to represent the 
lapse of time. By encoding the problem into EFSMT, we are able to synthesize $\alpha$ and $\beta$ 
such that they work for all $x$ and $y$ in the specified ranges. For example, a typical encoding 
is $\exists \alpha, \beta\ \forall x \in [100,300] \cap \mathbb{Z}\ \forall y \in [10,24] \cap \mathbb{Z}$. 

For this scenario we formulate a system description together with properties for 
excluding undesired action sequences such as "when the packaging station buffer is full, 
the FFS should stop shipping until the buffer has space". This property is encoded by 
the interaction-level LTL formula 

$$G(\mathit{Packaging.stackfull} \rightarrow (\neg\mathit{FFS.ship}\ \mathbin{U}\ \mathit{Packaging.stackavailable})).$$ 
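A finite-trace monitor for this property, as an added Python example (the paper's tool builds its monitors from Büchi automata via LTL2Buchi; this hand-written monitor is not that construction). It checks a sequence of interaction names against $G(p \rightarrow (\neg q\ U\ r))$ with $p$, $q$, $r$ instantiated to the three case-study interactions, and distinguishes a genuine violation from a prefix that merely ends with an undischarged until-obligation, which an unbounded $U$ cannot decide on a finite trace. The optional `bound` turns the obligation into the template "something good must happen within a finite number of steps" that the bounded unrolling in the applicability discussion below relies on. The interaction traces are constructed here and are not taken from the paper's models.

```python
from typing import Optional, Sequence, Tuple

Verdict = Tuple[str, Optional[int]]   # ("ok" | "pending" | "violation", step index or None)


def monitor_until(trace: Sequence[str], trigger: str, forbidden: str, release: str,
                  bound: Optional[int] = None) -> Verdict:
    """Monitor G(trigger -> (not forbidden U release)) over one interaction per step.

    - ("violation", i): `forbidden` occurs at step i while an obligation opened by
      `trigger` is still undischarged, or (with `bound`) the obligation has been
      open for `bound` steps without `release`.
    - ("pending", None): the prefix ends with an open obligation; a finite prefix
      cannot decide an unbounded U either way.
    - ("ok", None): every obligation was discharged and nothing forbidden happened.
    Assumption: trigger, forbidden and release are distinct interaction names, so
    at most one of them holds at any step. The earliest open obligation is kept,
    so a repeated trigger does not extend an already running deadline."""
    opened_at: Optional[int] = None
    for i, event in enumerate(trace):
        if opened_at is not None and event == forbidden:
            return "violation", i
        if event == release:
            opened_at = None                      # discharges every open obligation
        if event == trigger and opened_at is None:
            opened_at = i
        if opened_at is not None and bound is not None and i - opened_at >= bound:
            return "violation", i                 # release did not come within `bound` steps
    return ("pending", None) if opened_at is not None else ("ok", None)


def check_ffs(trace: Sequence[str], bound: Optional[int] = None) -> Verdict:
    """The case-study property: no FFS.ship between stackfull and stackavailable."""
    return monitor_until(trace, "Packaging.stackfull", "FFS.ship",
                         "Packaging.stackavailable", bound)


# Constructed interaction traces (hypothetical; not from the paper's models).
TRACE_OK = ["FFS.ship", "Packaging.stackfull", "FFS.seal",
            "Packaging.stackavailable", "FFS.ship"]
TRACE_BAD = ["Packaging.stackfull", "FFS.seal", "FFS.ship",
             "Packaging.stackavailable"]
TRACE_OPEN = ["FFS.ship", "Packaging.stackfull", "FFS.seal", "FFS.seal"]

if __name__ == "__main__":
    for name, t in (("ok", TRACE_OK), ("bad", TRACE_BAD), ("open", TRACE_OPEN)):
        print(name, check_ffs(t), check_ffs(t, bound=2))
```

With no bound, `TRACE_OPEN` is reported as pending rather than violated; with `bound=2` the same trace is a violation at step 3, which is exactly the difference between the unbounded until and its unrolled, bounded reading.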

Applicability and limitations. We applied our solver to the timed orchestration 
problem for interaction-level properties; the results of this case study are summarized in 
Table 2. For those properties where EFSMT successfully synthesizes parameters, we also 
tried to restrict the domain and recorded the time required for EFSMT to report "unable to 
find a solution". Our solving approach seems to scale well because of the use of compositional 
techniques, but at the expense of precision for relations between clocks of 
different components. Moreover, due to recording the history of interactions, our solver 
seems to perform well on LTL formulas that include F or U, since these properties are translated 
into the template "whenever an event occurs, something good should happen within 
a finite number of steps" by means of unrolling. Finally, we note that constraint grouping 
and variable ordering play an important role in the performance of the underlying 
SMT solver Yices 2. More precisely, we observed in our experiments a severe performance 
penalty whenever constraints are not properly grouped or whenever the evaluation order 
of the variables does not respect the grouping. Informally, a constraint grouping may be 
called proper if the grouping in EFSMT follows that of the constraints in the invariants 
for untimed reachability. These invariants are computed by means of BDDs with the FORCE 
ordering heuristic in our implementation, which results in relatively compact 
representations and also reduces the size of the invariant constraints. 

6 Conclusions 

The main contributions of this paper include (1) the encoding of line integration problems in 
terms of timed orchestration synthesis, (2) an upper bound on the number of unrolling steps 
in bounded synthesis for PTA, (3) the encoding of timed orchestration synthesis in terms of 
$\exists\forall$SMT, and (4) a set of computationally cheap over-approximations for avoiding overly 
eager and expensive computations of the precise parametric images of the set of reachable 
states. Key ingredients of this logical approach to solving timed orchestration 
problems include the translation of LTL properties into deterministic monitors, the 
generation of parametric invariants, the use of two SMT solvers for $\exists\forall$ constraints, 
constraint grouping and variable ordering. We demonstrated the feasibility of this approach 
by solving some typical line integration problems as encountered in industrial 
practice; it remains to be seen, however, if and how the proposed methodology and 
tools scale to orchestration problems for real-world production lines. In future 
work, we therefore plan to go beyond $\omega$-words when considering interaction-level LTL 
properties, to develop static analysis techniques on the system structure for obtaining cheap 
invariants, to investigate hierarchical solving approaches, and to extend the orchestration 
synthesis problem to hybrid systems. 